PeerAuthentication
PeerAuthentication
PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
Examples:
Policy to allow mTLS traffic for all workloads under namespace foo
:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: STRICT
For mesh level, put the policy in root-namespace according to your Istio installation.
Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo
, but
require mTLS for workload finance
.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: STRICT
Policy to allow mTLS strict for all workloads, but leave port 8080 to plaintext:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: STRICT
portLevelMtls:
8080:
mode: DISABLE
Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: UNSET
portLevelMtls:
8080:
mode: DISABLE
PeerAuthentication.MutualTLS
Mutual TLS settings.
PeerAuthentication.MutualTLS.Mode
Name | Description |
---|---|
UNSET | Inherit from parent, if has one. Otherwise treated as PERMISSIVE. |
DISABLE | Connection is not tunneled. |
PERMISSIVE | Connection can be either plaintext or mTLS tunnel. |
STRICT | Connection is an mTLS tunnel (TLS with client cert must be presented). |